CRED: Fix double free in prepare_usermodehelper_creds() error handling
1 /* Task credentials management - see Documentation/credentials.txt
2  *
3  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public Licence
8  * as published by the Free Software Foundation; either version
9  * 2 of the Licence, or (at your option) any later version.
10  */
11 #include <linux/module.h>
12 #include <linux/cred.h>
13 #include <linux/slab.h>
14 #include <linux/sched.h>
15 #include <linux/key.h>
16 #include <linux/keyctl.h>
17 #include <linux/init_task.h>
18 #include <linux/security.h>
19 #include <linux/cn_proc.h>
20 #include "cred-internals.h"
21
#if 0
/* Flip the #if above to 1 to trace every credential operation in this file;
 * each line is prefixed with the current task's comm and pid. */
#define kdebug(FMT, ...) \
        printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
#else
/* Tracing is off: kdebug() expands to a call of an empty inline function, so
 * the format string and its arguments are still type-checked (and evaluated)
 * but nothing is printed. */
static inline __attribute__((format(printf, 1, 2)))
void no_printk(const char *fmt, ...)
{
}
#define kdebug(FMT, ...) \
        no_printk("[%-5.5s%5u] "FMT"\n", current->comm, current->pid ,##__VA_ARGS__)
#endif
33
/* Slab cache from which every struct cred is allocated; created in cred_init() */
static struct kmem_cache *cred_jar;
35
36 /*
37  * The common credentials for the initial task's thread group
38  */
39 #ifdef CONFIG_KEYS
40 static struct thread_group_cred init_tgcred = {
41         .usage  = ATOMIC_INIT(2),
42         .tgid   = 0,
43         .lock   = SPIN_LOCK_UNLOCKED,
44 };
45 #endif
46
47 /*
48  * The initial credentials for the initial task
49  */
50 struct cred init_cred = {
51         .usage                  = ATOMIC_INIT(4),
52 #ifdef CONFIG_DEBUG_CREDENTIALS
53         .subscribers            = ATOMIC_INIT(2),
54         .magic                  = CRED_MAGIC,
55 #endif
56         .securebits             = SECUREBITS_DEFAULT,
57         .cap_inheritable        = CAP_INIT_INH_SET,
58         .cap_permitted          = CAP_FULL_SET,
59         .cap_effective          = CAP_INIT_EFF_SET,
60         .cap_bset               = CAP_INIT_BSET,
61         .user                   = INIT_USER,
62         .group_info             = &init_groups,
63 #ifdef CONFIG_KEYS
64         .tgcred                 = &init_tgcred,
65 #endif
66 };
67
/*
 * Set the debug "subscriber" count of a set of credentials: the number of
 * task cred pointers (real_cred / cred slots) that currently refer to it.
 * Only tracked under CONFIG_DEBUG_CREDENTIALS; a no-op otherwise.
 */
static inline void set_cred_subscribers(struct cred *cred, int n)
{
#ifdef CONFIG_DEBUG_CREDENTIALS
        atomic_set(&cred->subscribers, n);
#endif
}
74
/*
 * Read the debug subscriber count of a set of credentials.  Always 0 when
 * CONFIG_DEBUG_CREDENTIALS is off, so callers comparing against it must be
 * compiled out in that configuration as well.
 */
static inline int read_cred_subscribers(const struct cred *cred)
{
#ifdef CONFIG_DEBUG_CREDENTIALS
        return atomic_read(&cred->subscribers);
#else
        return 0;
#endif
}
83
/*
 * Add @n (possibly negative) to the debug subscriber count of a set of
 * credentials.  Takes a const pointer because callers hold installed creds as
 * const; the cast is acceptable only because nothing but the debug counter is
 * written.  A no-op without CONFIG_DEBUG_CREDENTIALS.
 */
static inline void alter_cred_subscribers(const struct cred *_cred, int n)
{
#ifdef CONFIG_DEBUG_CREDENTIALS
        struct cred *cred = (struct cred *) _cred;

        atomic_add(n, &cred->subscribers);
#endif
}
92
93 /*
94  * Dispose of the shared task group credentials
95  */
96 #ifdef CONFIG_KEYS
97 static void release_tgcred_rcu(struct rcu_head *rcu)
98 {
99         struct thread_group_cred *tgcred =
100                 container_of(rcu, struct thread_group_cred, rcu);
101
102         BUG_ON(atomic_read(&tgcred->usage) != 0);
103
104         key_put(tgcred->session_keyring);
105         key_put(tgcred->process_keyring);
106         kfree(tgcred);
107 }
108 #endif
109
110 /*
111  * Release a set of thread group credentials.
112  */
113 static void release_tgcred(struct cred *cred)
114 {
115 #ifdef CONFIG_KEYS
116         struct thread_group_cred *tgcred = cred->tgcred;
117
118         if (atomic_dec_and_test(&tgcred->usage))
119                 call_rcu(&tgcred->rcu, release_tgcred_rcu);
120 #endif
121 }
122
123 /*
124  * The RCU callback to actually dispose of a set of credentials
125  */
126 static void put_cred_rcu(struct rcu_head *rcu)
127 {
128         struct cred *cred = container_of(rcu, struct cred, rcu);
129
130         kdebug("put_cred_rcu(%p)", cred);
131
132 #ifdef CONFIG_DEBUG_CREDENTIALS
133         if (cred->magic != CRED_MAGIC_DEAD ||
134             atomic_read(&cred->usage) != 0 ||
135             read_cred_subscribers(cred) != 0)
136                 panic("CRED: put_cred_rcu() sees %p with"
137                       " mag %x, put %p, usage %d, subscr %d\n",
138                       cred, cred->magic, cred->put_addr,
139                       atomic_read(&cred->usage),
140                       read_cred_subscribers(cred));
141 #else
142         if (atomic_read(&cred->usage) != 0)
143                 panic("CRED: put_cred_rcu() sees %p with usage %d\n",
144                       cred, atomic_read(&cred->usage));
145 #endif
146
147         security_cred_free(cred);
148         key_put(cred->thread_keyring);
149         key_put(cred->request_key_auth);
150         release_tgcred(cred);
151         if (cred->group_info)
152                 put_group_info(cred->group_info);
153         free_uid(cred->user);
154         kmem_cache_free(cred_jar, cred);
155 }
156
157 /**
158  * __put_cred - Destroy a set of credentials
159  * @cred: The record to release
160  *
161  * Destroy a set of credentials on which no references remain.
162  */
163 void __put_cred(struct cred *cred)
164 {
165         kdebug("__put_cred(%p{%d,%d})", cred,
166                atomic_read(&cred->usage),
167                read_cred_subscribers(cred));
168
169         BUG_ON(atomic_read(&cred->usage) != 0);
170 #ifdef CONFIG_DEBUG_CREDENTIALS
171         BUG_ON(read_cred_subscribers(cred) != 0);
172         cred->magic = CRED_MAGIC_DEAD;
173         cred->put_addr = __builtin_return_address(0);
174 #endif
175         BUG_ON(cred == current->cred);
176         BUG_ON(cred == current->real_cred);
177
178         call_rcu(&cred->rcu, put_cred_rcu);
179 }
180 EXPORT_SYMBOL(__put_cred);
181
182 /*
183  * Clean up a task's credentials when it exits
184  */
185 void exit_creds(struct task_struct *tsk)
186 {
187         struct cred *cred;
188
189         kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
190                atomic_read(&tsk->cred->usage),
191                read_cred_subscribers(tsk->cred));
192
193         cred = (struct cred *) tsk->real_cred;
194         tsk->real_cred = NULL;
195         validate_creds(cred);
196         alter_cred_subscribers(cred, -1);
197         put_cred(cred);
198
199         cred = (struct cred *) tsk->cred;
200         tsk->cred = NULL;
201         validate_creds(cred);
202         alter_cred_subscribers(cred, -1);
203         put_cred(cred);
204
205         cred = (struct cred *) tsk->replacement_session_keyring;
206         if (cred) {
207                 tsk->replacement_session_keyring = NULL;
208                 validate_creds(cred);
209                 put_cred(cred);
210         }
211 }
212
213 /*
214  * Allocate blank credentials, such that the credentials can be filled in at a
215  * later date without risk of ENOMEM.
216  */
217 struct cred *cred_alloc_blank(void)
218 {
219         struct cred *new;
220
221         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
222         if (!new)
223                 return NULL;
224
225 #ifdef CONFIG_KEYS
226         new->tgcred = kzalloc(sizeof(*new->tgcred), GFP_KERNEL);
227         if (!new->tgcred) {
228                 kmem_cache_free(cred_jar, new);
229                 return NULL;
230         }
231         atomic_set(&new->tgcred->usage, 1);
232 #endif
233
234         atomic_set(&new->usage, 1);
235
236         if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
237                 goto error;
238
239 #ifdef CONFIG_DEBUG_CREDENTIALS
240         new->magic = CRED_MAGIC;
241 #endif
242         return new;
243
244 error:
245         abort_creds(new);
246         return NULL;
247 }
248
249 /**
250  * prepare_creds - Prepare a new set of credentials for modification
251  *
252  * Prepare a new set of task credentials for modification.  A task's creds
253  * shouldn't generally be modified directly, therefore this function is used to
254  * prepare a new copy, which the caller then modifies and then commits by
255  * calling commit_creds().
256  *
257  * Preparation involves making a copy of the objective creds for modification.
258  *
259  * Returns a pointer to the new creds-to-be if successful, NULL otherwise.
260  *
261  * Call commit_creds() or abort_creds() to clean up.
262  */
263 struct cred *prepare_creds(void)
264 {
265         struct task_struct *task = current;
266         const struct cred *old;
267         struct cred *new;
268
269         validate_process_creds();
270
271         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
272         if (!new)
273                 return NULL;
274
275         kdebug("prepare_creds() alloc %p", new);
276
277         old = task->cred;
278         memcpy(new, old, sizeof(struct cred));
279
280         atomic_set(&new->usage, 1);
281         set_cred_subscribers(new, 0);
282         get_group_info(new->group_info);
283         get_uid(new->user);
284
285 #ifdef CONFIG_KEYS
286         key_get(new->thread_keyring);
287         key_get(new->request_key_auth);
288         atomic_inc(&new->tgcred->usage);
289 #endif
290
291 #ifdef CONFIG_SECURITY
292         new->security = NULL;
293 #endif
294
295         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
296                 goto error;
297         validate_creds(new);
298         return new;
299
300 error:
301         abort_creds(new);
302         return NULL;
303 }
304 EXPORT_SYMBOL(prepare_creds);
305
306 /*
307  * Prepare credentials for current to perform an execve()
308  * - The caller must hold current->cred_guard_mutex
309  */
310 struct cred *prepare_exec_creds(void)
311 {
312         struct thread_group_cred *tgcred = NULL;
313         struct cred *new;
314
315 #ifdef CONFIG_KEYS
316         tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
317         if (!tgcred)
318                 return NULL;
319 #endif
320
321         new = prepare_creds();
322         if (!new) {
323                 kfree(tgcred);
324                 return new;
325         }
326
327 #ifdef CONFIG_KEYS
328         /* newly exec'd tasks don't get a thread keyring */
329         key_put(new->thread_keyring);
330         new->thread_keyring = NULL;
331
332         /* create a new per-thread-group creds for all this set of threads to
333          * share */
334         memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
335
336         atomic_set(&tgcred->usage, 1);
337         spin_lock_init(&tgcred->lock);
338
339         /* inherit the session keyring; new process keyring */
340         key_get(tgcred->session_keyring);
341         tgcred->process_keyring = NULL;
342
343         release_tgcred(new);
344         new->tgcred = tgcred;
345 #endif
346
347         return new;
348 }
349
350 /*
351  * prepare new credentials for the usermode helper dispatcher
352  */
353 struct cred *prepare_usermodehelper_creds(void)
354 {
355 #ifdef CONFIG_KEYS
356         struct thread_group_cred *tgcred = NULL;
357 #endif
358         struct cred *new;
359
360 #ifdef CONFIG_KEYS
361         tgcred = kzalloc(sizeof(*new->tgcred), GFP_ATOMIC);
362         if (!tgcred)
363                 return NULL;
364 #endif
365
366         new = kmem_cache_alloc(cred_jar, GFP_ATOMIC);
367         if (!new)
368                 goto free_tgcred;
369
370         kdebug("prepare_usermodehelper_creds() alloc %p", new);
371
372         memcpy(new, &init_cred, sizeof(struct cred));
373
374         atomic_set(&new->usage, 1);
375         set_cred_subscribers(new, 0);
376         get_group_info(new->group_info);
377         get_uid(new->user);
378
379 #ifdef CONFIG_KEYS
380         new->thread_keyring = NULL;
381         new->request_key_auth = NULL;
382         new->jit_keyring = KEY_REQKEY_DEFL_DEFAULT;
383
384         atomic_set(&tgcred->usage, 1);
385         spin_lock_init(&tgcred->lock);
386         new->tgcred = tgcred;
387 #endif
388
389 #ifdef CONFIG_SECURITY
390         new->security = NULL;
391 #endif
392         if (security_prepare_creds(new, &init_cred, GFP_ATOMIC) < 0)
393                 goto error;
394         validate_creds(new);
395
396         BUG_ON(atomic_read(&new->usage) != 1);
397         return new;
398
399 error:
400         put_cred(new);
401         return NULL;
402
403 free_tgcred:
404 #ifdef CONFIG_KEYS
405         kfree(tgcred);
406 #endif
407         return NULL;
408 }
409
410 /*
411  * Copy credentials for the new process created by fork()
412  *
413  * We share if we can, but under some circumstances we have to generate a new
414  * set.
415  *
416  * The new process gets the current process's subjective credentials as its
417  * objective and subjective credentials
418  */
419 int copy_creds(struct task_struct *p, unsigned long clone_flags)
420 {
421 #ifdef CONFIG_KEYS
422         struct thread_group_cred *tgcred;
423 #endif
424         struct cred *new;
425         int ret;
426
427         mutex_init(&p->cred_guard_mutex);
428
429         if (
430 #ifdef CONFIG_KEYS
431                 !p->cred->thread_keyring &&
432 #endif
433                 clone_flags & CLONE_THREAD
434             ) {
435                 p->real_cred = get_cred(p->cred);
436                 get_cred(p->cred);
437                 alter_cred_subscribers(p->cred, 2);
438                 kdebug("share_creds(%p{%d,%d})",
439                        p->cred, atomic_read(&p->cred->usage),
440                        read_cred_subscribers(p->cred));
441                 atomic_inc(&p->cred->user->processes);
442                 return 0;
443         }
444
445         new = prepare_creds();
446         if (!new)
447                 return -ENOMEM;
448
449         if (clone_flags & CLONE_NEWUSER) {
450                 ret = create_user_ns(new);
451                 if (ret < 0)
452                         goto error_put;
453         }
454
455 #ifdef CONFIG_KEYS
456         /* new threads get their own thread keyrings if their parent already
457          * had one */
458         if (new->thread_keyring) {
459                 key_put(new->thread_keyring);
460                 new->thread_keyring = NULL;
461                 if (clone_flags & CLONE_THREAD)
462                         install_thread_keyring_to_cred(new);
463         }
464
465         /* we share the process and session keyrings between all the threads in
466          * a process - this is slightly icky as we violate COW credentials a
467          * bit */
468         if (!(clone_flags & CLONE_THREAD)) {
469                 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
470                 if (!tgcred) {
471                         ret = -ENOMEM;
472                         goto error_put;
473                 }
474                 atomic_set(&tgcred->usage, 1);
475                 spin_lock_init(&tgcred->lock);
476                 tgcred->process_keyring = NULL;
477                 tgcred->session_keyring = key_get(new->tgcred->session_keyring);
478
479                 release_tgcred(new);
480                 new->tgcred = tgcred;
481         }
482 #endif
483
484         atomic_inc(&new->user->processes);
485         p->cred = p->real_cred = get_cred(new);
486         alter_cred_subscribers(new, 2);
487         validate_creds(new);
488         return 0;
489
490 error_put:
491         put_cred(new);
492         return ret;
493 }
494
495 /**
496  * commit_creds - Install new credentials upon the current task
497  * @new: The credentials to be assigned
498  *
499  * Install a new set of credentials to the current task, using RCU to replace
500  * the old set.  Both the objective and the subjective credentials pointers are
501  * updated.  This function may not be called if the subjective credentials are
502  * in an overridden state.
503  *
504  * This function eats the caller's reference to the new credentials.
505  *
506  * Always returns 0 thus allowing this function to be tail-called at the end
507  * of, say, sys_setgid().
508  */
509 int commit_creds(struct cred *new)
510 {
511         struct task_struct *task = current;
512         const struct cred *old = task->real_cred;
513
514         kdebug("commit_creds(%p{%d,%d})", new,
515                atomic_read(&new->usage),
516                read_cred_subscribers(new));
517
518         BUG_ON(task->cred != old);
519 #ifdef CONFIG_DEBUG_CREDENTIALS
520         BUG_ON(read_cred_subscribers(old) < 2);
521         validate_creds(old);
522         validate_creds(new);
523 #endif
524         BUG_ON(atomic_read(&new->usage) < 1);
525
526         security_commit_creds(new, old);
527
528         get_cred(new); /* we will require a ref for the subj creds too */
529
530         /* dumpability changes */
531         if (old->euid != new->euid ||
532             old->egid != new->egid ||
533             old->fsuid != new->fsuid ||
534             old->fsgid != new->fsgid ||
535             !cap_issubset(new->cap_permitted, old->cap_permitted)) {
536                 if (task->mm)
537                         set_dumpable(task->mm, suid_dumpable);
538                 task->pdeath_signal = 0;
539                 smp_wmb();
540         }
541
542         /* alter the thread keyring */
543         if (new->fsuid != old->fsuid)
544                 key_fsuid_changed(task);
545         if (new->fsgid != old->fsgid)
546                 key_fsgid_changed(task);
547
548         /* do it
549          * - What if a process setreuid()'s and this brings the
550          *   new uid over his NPROC rlimit?  We can check this now
551          *   cheaply with the new uid cache, so if it matters
552          *   we should be checking for it.  -DaveM
553          */
554         alter_cred_subscribers(new, 2);
555         if (new->user != old->user)
556                 atomic_inc(&new->user->processes);
557         rcu_assign_pointer(task->real_cred, new);
558         rcu_assign_pointer(task->cred, new);
559         if (new->user != old->user)
560                 atomic_dec(&old->user->processes);
561         alter_cred_subscribers(old, -2);
562
563         sched_switch_user(task);
564
565         /* send notifications */
566         if (new->uid   != old->uid  ||
567             new->euid  != old->euid ||
568             new->suid  != old->suid ||
569             new->fsuid != old->fsuid)
570                 proc_id_connector(task, PROC_EVENT_UID);
571
572         if (new->gid   != old->gid  ||
573             new->egid  != old->egid ||
574             new->sgid  != old->sgid ||
575             new->fsgid != old->fsgid)
576                 proc_id_connector(task, PROC_EVENT_GID);
577
578         /* release the old obj and subj refs both */
579         put_cred(old);
580         put_cred(old);
581         return 0;
582 }
583 EXPORT_SYMBOL(commit_creds);
584
585 /**
586  * abort_creds - Discard a set of credentials and unlock the current task
587  * @new: The credentials that were going to be applied
588  *
589  * Discard a set of credentials that were under construction and unlock the
590  * current task.
591  */
592 void abort_creds(struct cred *new)
593 {
594         kdebug("abort_creds(%p{%d,%d})", new,
595                atomic_read(&new->usage),
596                read_cred_subscribers(new));
597
598 #ifdef CONFIG_DEBUG_CREDENTIALS
599         BUG_ON(read_cred_subscribers(new) != 0);
600 #endif
601         BUG_ON(atomic_read(&new->usage) < 1);
602         put_cred(new);
603 }
604 EXPORT_SYMBOL(abort_creds);
605
606 /**
607  * override_creds - Override the current process's subjective credentials
608  * @new: The credentials to be assigned
609  *
610  * Install a set of temporary override subjective credentials on the current
611  * process, returning the old set for later reversion.
612  */
613 const struct cred *override_creds(const struct cred *new)
614 {
615         const struct cred *old = current->cred;
616
617         kdebug("override_creds(%p{%d,%d})", new,
618                atomic_read(&new->usage),
619                read_cred_subscribers(new));
620
621         validate_creds(old);
622         validate_creds(new);
623         get_cred(new);
624         alter_cred_subscribers(new, 1);
625         rcu_assign_pointer(current->cred, new);
626         alter_cred_subscribers(old, -1);
627
628         kdebug("override_creds() = %p{%d,%d}", old,
629                atomic_read(&old->usage),
630                read_cred_subscribers(old));
631         return old;
632 }
633 EXPORT_SYMBOL(override_creds);
634
635 /**
636  * revert_creds - Revert a temporary subjective credentials override
637  * @old: The credentials to be restored
638  *
639  * Revert a temporary set of override subjective credentials to an old set,
640  * discarding the override set.
641  */
642 void revert_creds(const struct cred *old)
643 {
644         const struct cred *override = current->cred;
645
646         kdebug("revert_creds(%p{%d,%d})", old,
647                atomic_read(&old->usage),
648                read_cred_subscribers(old));
649
650         validate_creds(old);
651         validate_creds(override);
652         alter_cred_subscribers(old, 1);
653         rcu_assign_pointer(current->cred, old);
654         alter_cred_subscribers(override, -1);
655         put_cred(override);
656 }
657 EXPORT_SYMBOL(revert_creds);
658
659 /*
660  * initialise the credentials stuff
661  */
662 void __init cred_init(void)
663 {
664         /* allocate a slab in which we can store credentials */
665         cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred),
666                                      0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
667 }
668
669 /**
670  * prepare_kernel_cred - Prepare a set of credentials for a kernel service
671  * @daemon: A userspace daemon to be used as a reference
672  *
673  * Prepare a set of credentials for a kernel service.  This can then be used to
674  * override a task's own credentials so that work can be done on behalf of that
675  * task that requires a different subjective context.
676  *
677  * @daemon is used to provide a base for the security record, but can be NULL.
678  * If @daemon is supplied, then the security data will be derived from that;
679  * otherwise they'll be set to 0 and no groups, full capabilities and no keys.
680  *
681  * The caller may change these controls afterwards if desired.
682  *
683  * Returns the new credentials or NULL if out of memory.
684  *
685  * Does not take, and does not return holding current->cred_replace_mutex.
686  */
687 struct cred *prepare_kernel_cred(struct task_struct *daemon)
688 {
689         const struct cred *old;
690         struct cred *new;
691
692         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
693         if (!new)
694                 return NULL;
695
696         kdebug("prepare_kernel_cred() alloc %p", new);
697
698         if (daemon)
699                 old = get_task_cred(daemon);
700         else
701                 old = get_cred(&init_cred);
702
703         validate_creds(old);
704
705         *new = *old;
706         get_uid(new->user);
707         get_group_info(new->group_info);
708
709 #ifdef CONFIG_KEYS
710         atomic_inc(&init_tgcred.usage);
711         new->tgcred = &init_tgcred;
712         new->request_key_auth = NULL;
713         new->thread_keyring = NULL;
714         new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
715 #endif
716
717 #ifdef CONFIG_SECURITY
718         new->security = NULL;
719 #endif
720         if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
721                 goto error;
722
723         atomic_set(&new->usage, 1);
724         set_cred_subscribers(new, 0);
725         put_cred(old);
726         validate_creds(new);
727         return new;
728
729 error:
730         put_cred(new);
731         put_cred(old);
732         return NULL;
733 }
734 EXPORT_SYMBOL(prepare_kernel_cred);
735
736 /**
737  * set_security_override - Set the security ID in a set of credentials
738  * @new: The credentials to alter
739  * @secid: The LSM security ID to set
740  *
741  * Set the LSM security ID in a set of credentials so that the subjective
742  * security is overridden when an alternative set of credentials is used.
743  */
744 int set_security_override(struct cred *new, u32 secid)
745 {
746         return security_kernel_act_as(new, secid);
747 }
748 EXPORT_SYMBOL(set_security_override);
749
750 /**
751  * set_security_override_from_ctx - Set the security ID in a set of credentials
752  * @new: The credentials to alter
753  * @secctx: The LSM security context to generate the security ID from.
754  *
755  * Set the LSM security ID in a set of credentials so that the subjective
756  * security is overridden when an alternative set of credentials is used.  The
757  * security ID is specified in string form as a security context to be
758  * interpreted by the LSM.
759  */
760 int set_security_override_from_ctx(struct cred *new, const char *secctx)
761 {
762         u32 secid;
763         int ret;
764
765         ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
766         if (ret < 0)
767                 return ret;
768
769         return set_security_override(new, secid);
770 }
771 EXPORT_SYMBOL(set_security_override_from_ctx);
772
773 /**
774  * set_create_files_as - Set the LSM file create context in a set of credentials
775  * @new: The credentials to alter
776  * @inode: The inode to take the context from
777  *
778  * Change the LSM file creation context in a set of credentials to be the same
779  * as the object context of the specified inode, so that the new inodes have
780  * the same MAC context as that inode.
781  */
782 int set_create_files_as(struct cred *new, struct inode *inode)
783 {
784         new->fsuid = inode->i_uid;
785         new->fsgid = inode->i_gid;
786         return security_kernel_create_files_as(new, inode);
787 }
788 EXPORT_SYMBOL(set_create_files_as);
789
790 #ifdef CONFIG_DEBUG_CREDENTIALS
791
/*
 * Heuristically check whether a set of credentials looks corrupt or freed.
 *
 * Returns true if the magic is wrong (never set, or CRED_MAGIC_DEAD after
 * __put_cred()), if more task slots subscribe to the record than there are
 * usage counts, or - with SELinux - if the security blob pointer is not a
 * plausible kernel address or the blob starts with slab free-poison bytes
 * (presumably a use-after-free of the blob).
 */
bool creds_are_invalid(const struct cred *cred)
{
        if (cred->magic != CRED_MAGIC)
                return true;
        if (atomic_read(&cred->usage) < atomic_read(&cred->subscribers))
                return true;
#ifdef CONFIG_SECURITY_SELINUX
        if (selinux_is_enabled()) {
                if ((unsigned long) cred->security < PAGE_SIZE)
                        return true;
                /* only the top three bytes are compared; the low byte is
                 * presumably allowed to hold the end-of-poison marker */
                if ((*(u32 *)cred->security & 0xffffff00) ==
                    (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
                        return true;
        }
#endif
        return false;
}
EXPORT_SYMBOL(creds_are_invalid);
810
811 /*
812  * dump invalid credentials
813  */
814 static void dump_invalid_creds(const struct cred *cred, const char *label,
815                                const struct task_struct *tsk)
816 {
817         printk(KERN_ERR "CRED: %s credentials: %p %s%s%s\n",
818                label, cred,
819                cred == &init_cred ? "[init]" : "",
820                cred == tsk->real_cred ? "[real]" : "",
821                cred == tsk->cred ? "[eff]" : "");
822         printk(KERN_ERR "CRED: ->magic=%x, put_addr=%p\n",
823                cred->magic, cred->put_addr);
824         printk(KERN_ERR "CRED: ->usage=%d, subscr=%d\n",
825                atomic_read(&cred->usage),
826                read_cred_subscribers(cred));
827         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
828                cred->uid, cred->euid, cred->suid, cred->fsuid);
829         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
830                cred->gid, cred->egid, cred->sgid, cred->fsgid);
831 #ifdef CONFIG_SECURITY
832         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
833         if ((unsigned long) cred->security >= PAGE_SIZE &&
834             (((unsigned long) cred->security & 0xffffff00) !=
835              (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)))
836                 printk(KERN_ERR "CRED: ->security {%x, %x}\n",
837                        ((u32*)cred->security)[0],
838                        ((u32*)cred->security)[1]);
839 #endif
840 }
841
842 /*
843  * report use of invalid credentials
844  */
845 void __invalid_creds(const struct cred *cred, const char *file, unsigned line)
846 {
847         printk(KERN_ERR "CRED: Invalid credentials\n");
848         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
849         dump_invalid_creds(cred, "Specified", current);
850         BUG();
851 }
852 EXPORT_SYMBOL(__invalid_creds);
853
854 /*
855  * check the credentials on a process
856  */
857 void __validate_process_creds(struct task_struct *tsk,
858                               const char *file, unsigned line)
859 {
860         if (tsk->cred == tsk->real_cred) {
861                 if (unlikely(read_cred_subscribers(tsk->cred) < 2 ||
862                              creds_are_invalid(tsk->cred)))
863                         goto invalid_creds;
864         } else {
865                 if (unlikely(read_cred_subscribers(tsk->real_cred) < 1 ||
866                              read_cred_subscribers(tsk->cred) < 1 ||
867                              creds_are_invalid(tsk->real_cred) ||
868                              creds_are_invalid(tsk->cred)))
869                         goto invalid_creds;
870         }
871         return;
872
873 invalid_creds:
874         printk(KERN_ERR "CRED: Invalid process credentials\n");
875         printk(KERN_ERR "CRED: At %s:%u\n", file, line);
876
877         dump_invalid_creds(tsk->real_cred, "Real", tsk);
878         if (tsk->cred != tsk->real_cred)
879                 dump_invalid_creds(tsk->cred, "Effective", tsk);
880         else
881                 printk(KERN_ERR "CRED: Effective creds == Real creds\n");
882         BUG();
883 }
884 EXPORT_SYMBOL(__validate_process_creds);
885
886 /*
887  * check creds for do_exit()
888  */
889 void validate_creds_for_do_exit(struct task_struct *tsk)
890 {
891         kdebug("validate_creds_for_do_exit(%p,%p{%d,%d})",
892                tsk->real_cred, tsk->cred,
893                atomic_read(&tsk->cred->usage),
894                read_cred_subscribers(tsk->cred));
895
896         __validate_process_creds(tsk, __FILE__, __LINE__);
897 }
898
899 #endif /* CONFIG_DEBUG_CREDENTIALS */